Show Posts

Messages - jfb1337

Ah, thanks, I was wondering what the .sym files were for; for some reason it didn't occur to me to look inside them!

Edit: And here is said script:
Code:
Carbos x90
Master Ball x14
Poké Ball x84
Repel x128
Carbos x24
X Accuracy x134
TM29 x0
Carbos x144
X Accuracy x0
TM01 x[Any qty]

Code:
ld h, $5A
ld bc, $040E ; b = BANK(FontGraphics), c = 14 = how many tiles to copy
ld d, h
ld e, $80    ; de = FontGraphics ($5A80)
ld h, $18
ld l, $86
push hl      ; hl = CopyVideoDataDouble ($1886)
nop          ; the 0 quantity byte of TM29 x0
ld h, $90
ld l, $0     ; hl = the tiles in VRAM that come after the digits ($9000)
ret          ; jumps to CopyVideoDataDouble (done this way to avoid glitch items and key items that would result from directly using call or jp)

This turns the tiles beyond the numbers that glitch quantities read from into the letters A through P, so it's easier to see how many items you have / are tossing. (There will also be a bunch of letters all over the background).

The effect goes away when entering/leaving a building, entering/leaving a battle, resetting the game, or closing the PC item menu, and maybe a few other things.

Tested with English blue on BGB.
The ld a, [hld] / ld [hli], a part is what copies the quantity of the item to its index, allowing access to any item index; your script just sets the quantity to 0. But since both are useful behaviours, I swap the Water Stones (ld [hli], a) with HP Ups (inc hl) if I want to reset the item quantity without setting the index too.

Another question: Is there an easy way to find the memory locations and ROM banks that correspond to a particular label in the disassembly? I had an idea for a script to make tossing items a bit less tedious by copying the graphics for digits or letters over the place where the game reads tiles for glitch quantities from, so it would be easier to see at a glance how many items you have / are tossing, but I'd need the locations for CopyVideoData and FontGraphics.
Thanks! I obtained an 8F on VC blue and got the setup working yesterday, just using normal encounters, in about 3.5 hours.

I made a simple script to easily obtain any item, which is very useful for building other scripts:

Code:
ld a, [hld]  ; 3A: a = [hl], hl--
ld a, [hld]  ; 3A: a = [hl] (the quantity), hl--
ld [hli], a  ; 22: [hl] = a, writing the quantity over the item index, hl++
inc b        ; 04: filler
ld [hl], 1   ; 36 01: quantity = 1 (36 00 would itself need an x0 stack)
dec [hl]     ; 35: quantity = 0
inc b        ; 04: filler
which compiles to
Code:
Dire Hit x58     ; 3A 3A
Water Stone x4   ; 22 04
Max Revive x1    ; 36 01
Revive x4        ; 35 04
TM01 x[Any qty]  ; C9 = ret
This sets the index of the 2nd item to its quantity (make sure 8F is the first item, obviously), and its quantity to 0, for easy tossing to any desired quantity.

This requires only items that can be bought from the Celadon Dept. Store, with no Missingno duping.

Then, you can use it once to get a Max Revive x0 stack, so you can get rid of the Revive to compact the script slightly.
MrCheeze's virus patches the first two bytes with jp 78, and at the location it jumps to it then calls the custom code and jumps back to the rest of the OAM script. The custom code sets the a register correctly.

Anyway, this is really cool! I want to add Marill and call it Pikablu to troll my friends
What would be the fastest/easiest way to get a working 8F setup starting from a brand new save file?

I'm guessing it would start out like the standard speedrun route (Brock Through Walls to Saffron, encounter Missingno via Trainer-Fly with Abra, then item underflow) but then use the underflow to obtain 8F instead... Then what would be the optimal way to get all the Pokémon required for the bootstrap? Regular encounters, or Trainer-Fly?
I presume there's not enough space in unused event flags for this, right? If not, then MrCheeze's virus shows that it is at least possible to fit in unused event flags a script that opens SRAM, copies some data from it, and jumps to it; would that be worth doing? Since even if you reset the save file, the memory editor should still be there; you just need to re-do the loading code.
Arbitrary Code Execution Discussion / Re: First R/B virus was made!
« on: March 02, 2017, 11:54:16 am »
Wow, this finally convinced me to get red on VC.

If I manage to get this set up, I want to tell my friends that I want some version exclusives and/or trade evos, to get them to trade with me, then the next week I'd do what Shenanagans did at AGDQ and show them the Mew under the truck under the guise of a mildly interesting glitch to re-board the S.S. Anne.
Will an Arceus caught by this method trigger the HGSS event?
Generation IV Glitch Discussion / Re: Pal Park glitch in foreign versions
« on: September 29, 2016, 06:15:20 am »
This is why Unicode exists, GF!
According to, there seem to be a lot of unused event flags.

Maybe there could be a configuration of them such that combinations of the real flags would only ever spell out opcodes that essentially do nothing (maybe change the registers, but that doesn't matter as we can clear them in the payload).

Also, we don't need to worry about any event flags before the location we jump to, which is D7A3. There are 3 bits worth of event flags there, but they would only allow for opcodes 00 through 07, which are all harmless.

I was originally going to go through the file looking for event flags that could be a problem, and writing 1s before them to make them part of the addresses for a load opcode (into a register), but then I ran into problems with consecutive bytes full of flags. Then I realised it would just be easier to write a jump to one of the unused flags, to jump to the payload.
Since we want to jump to the player name at D887, we could write, say, at D7A7 a jr $+E0. Compiled, that's 18 E0. To write that, we'd need:

Code:
ld hl, $d7a7   ; 21 A7 D7
inc b          ; 04: nop to avoid glitch items
ld [hl], $18   ; 36 18
inc hl         ; 23
ld [hl], $E0   ; 36 E0
ld bc, $[any]  ; 01 xx xx: another nop to avoid duplication

In items, that's
Code:
[Any item] x [Any qty]
Thunderstone x 167 ; 21 A7. Not completely without duping, but there's only 1 dupe involved
TM15 x 4           ; D7 04 (the inc b filler)
Max Revive x 24    ; 36 18
HP Up x 54         ; 23 36
TM24 x 1           ; E0 01
[Any item] x [Any qty]
TM01 x [Any qty]

I am very new to asm, so there may be a mistake in this. Also I'm assuming that unused event flags are preserved when saving.

If not, possibly you could use 8F to copy the event flags somewhere else in memory, replace them with NOPs then the cable's payload can fix the save file later by copying it back. But that script would have to be run every time you wanted to do a cable ACE, which is not ideal.
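Added example, written for this page by the editor and not taken from any of the posts: a small Python encoder/decoder for the item-to-byte mapping that both the "get any item" script and the event-flag patch listing above depend on. Its item table is a partial one, assumed to follow standard Red/Blue item numbering and covering only the items named in this thread plus TM01 through TM50 ($C9 to $FA); it also assumes, as the posts describe, that execution enters the bag at an item-ID slot and that TM01 ($C9, ret) terminates the script. The sample inputs are constructed from the listings in the thread.

```python
"""Item-stack <-> byte encoding for Gen 1 (R/B) 8F scripts.

Editor's added example, not code from the forum posters. Assumes standard
Red/Blue item numbering (partial table: only the items used in this thread,
plus TM01..TM50 = $C9..$FA) and that execution enters the bag in an item-ID
slot, as the posts describe.
"""
import re
from typing import List, Optional, Tuple

ITEM_NAMES = {
    0x01: "Master Ball", 0x04: "Poké Ball", 0x1E: "Repel", 0x21: "Thunderstone",
    0x22: "Water Stone", 0x23: "HP Up", 0x26: "Carbos", 0x2E: "X Accuracy",
    0x35: "Revive", 0x36: "Max Revive", 0x3A: "Dire Hit",
}
ITEM_NAMES.update({0xC8 + n: f"TM{n:02d}" for n in range(1, 51)})
ITEM_IDS = {name.lower(): item_id for item_id, name in ITEM_NAMES.items()}

ANY = None  # wildcard for "[Any item]" / "[Any qty]" entries
STACK_RE = re.compile(r"^\s*(.+?)\s*x\s*(\d+|\[any qty\])\s*(?:;.*)?$", re.IGNORECASE)


def parse_stack(line: str) -> Tuple[Optional[int], Optional[int]]:
    """'Dire Hit x58' -> (0x3A, 58). Wildcards become ANY; a trailing ';' comment is ignored."""
    m = STACK_RE.match(line)
    if not m:
        raise ValueError(f"cannot parse item stack: {line!r}")
    name, qty = m.group(1).lower(), m.group(2)
    item_id = ANY if name == "[any item]" else ITEM_IDS[name]
    quantity = ANY if qty.startswith("[") else int(qty)
    if quantity is not ANY and not 0 <= quantity <= 255:
        raise ValueError(f"quantity must fit in one byte: {line!r}")
    return item_id, quantity


def items_to_bytes(listing: str) -> List[Optional[int]]:
    """Flatten a bag listing into the byte stream the CPU sees: ID, qty, ID, qty, ..."""
    out: List[Optional[int]] = []
    for line in listing.splitlines():
        if line.strip():
            out.extend(parse_stack(line))
    return out


def bytes_to_items(code: bytes) -> List[str]:
    """Inverse direction: pair assembled bytes into the stacks you would need to hold."""
    stacks = []
    for i in range(0, len(code), 2):
        name = ITEM_NAMES.get(code[i], f"${code[i]:02X} (not in table: check for glitch/key item)")
        qty = f"x{code[i + 1]}" if i + 1 < len(code) else "x[Any qty]"
        stacks.append(f"{name} {qty}")
    return stacks


def lint(listing: str) -> List[str]:
    """Two checks the thread relies on: the script must end with TM01 ($C9 = ret) in an
    ID slot, and any x0 stack has to be obtained specially (the 'get any item' script
    yields one)."""
    stream = items_to_bytes(listing)
    problems = []
    if len(stream) < 2 or stream[-2] != 0xC9:
        problems.append("last stack is not TM01, so the script never returns")
    for i in range(1, len(stream), 2):
        if stream[i] == 0:
            problems.append(f"stack {i // 2 + 1} needs quantity 0")
    return problems


# Constructed inputs: the 'get any item' listing from the thread, and the bytes of the
# event-flag patch (ld hl,$d7a7 / inc b / ld [hl],$18 / inc hl / ld [hl],$E0 / ld bc,nn)
# assembled by hand, without the trailing operand bytes and ret.
GET_ANY_ITEM = """
Dire Hit x58
Water Stone x4
Max Revive x1
Revive x4
TM01 x[Any qty]
"""
EVENT_FLAG_PATCH = bytes.fromhex("21a7d70436182336e001")

if __name__ == "__main__":
    print([f"{b:02X}" if b is not None else "??" for b in items_to_bytes(GET_ANY_ITEM)])
    print(bytes_to_items(EVENT_FLAG_PATCH))
    print(lint(GET_ANY_ITEM))
```

Run it directly to see both directions; `lint` flags the two things the thread says need care in a hand-assembled script, a missing TM01 terminator and stacks that require a quantity of 0.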
The link in the description was broken, after trying to fix it it just led to the first post on this topic.
Recently, we had some maintenance.

I just watched this video, and I don't really understand how it works - How does the code get executed from the save file? I'm assuming there's some kind of buffer overflow exploit in the load routine, I'd be interested to know the details.

I semi-understand this.
8F executes code from somewhere around your party, then jumps to it; that's why you need a specific party: to form a jump instruction to jump to the third item's data, and then the code gets executed.
For larger codes you need to make a script I don't remember.
You can get stacks of items over 99 via 'M or Missingno. (all forms).
Yellow has w  s m, which is equal to 8F.

I understand how 8F works, but I don't know how loading the save file after restarting caused arbitrary code to run (in order to display the text and stuff)
I just watched this video, and I don't really understand how it works - How does the code get executed from the save file? I'm assuming there's some kind of buffer overflow exploit in the load routine, I'd be interested to know the details.

The link in the description was broken, after trying to fix it it just led to the first post on this topic.
Could you use 8F to clear the event list back into a NOP sled to upload the game file?

Of course, if you're using 8F you could just code the upload script or the bootloader directly, but I'd rather use the smallest 8F script possible to minimise the chance of making a mistake, especially when SRAM is involved